On 02/28/2018 01:46 AM, Olivier CALVANO wrote:
> Hi
> 
> Thanks for your answer,
> 
> I use: Shorewall 5.0.14
> 
> Checking using Shorewall 5.0.14.1...
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> Loading Modules...
> Checking /etc/shorewall/zones...
> Checking /etc/shorewall/interfaces...
> Determining Hosts in Zones...
> Locating Action Files...
> Checking /etc/shorewall/policy...
> Running /etc/shorewall/initdone...
> Checking TCP Flags filtering...
> Checking Kernel Route Filtering...
> Checking Martian Logging...
> Checking /etc/shorewall/masq...
>    WARNING: Using an interface as the masq SOURCE requires the interface
> to be up and configured when Shorewall starts/restarts/reloads
> /etc/shorewall/masq (line 1)
> Checking MAC Filtration -- Phase 1...
> Checking /etc/shorewall/rules...
> Checking /etc/shorewall/conntrack...
> Checking MAC Filtration -- Phase 2...
> Applying Policies...
> Checking /usr/share/shorewall/action.Drop for chain Drop...
> Checking /usr/share/shorewall/action.Broadcast for chain Broadcast...
> Shorewall configuration verified
> 
> 
> I have 1 warning; is masq the problem?
> 

Yes -- that is very likely the problem. If you use BGP to manage routes
from an interface, using that interface in the SOURCE column of the masq
file will cause the problem that you describe.

In that situation, it is better to list the subnet(s) that you *don't*
want to be masqueraded/SNATed using '!net1,net2,...' in the SOURCE column.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
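
A check for the condition discussed in this thread, added as an example and not part of the original messages or of Shorewall itself: it scans masq entries and reports those whose SOURCE column is an interface name rather than an address list or a '!net1,net2,...' exclusion. The interface names and networks in the sample are constructed placeholders, and treating any non-address SOURCE as an interface is a heuristic assumption.

```python
import ipaddress

# Constructed sample in /etc/shorewall/masq column order (INTERFACE SOURCE ADDRESS).
# Interface names and networks are placeholders, not values from the thread.
SAMPLE_MASQ = """\
#INTERFACE   SOURCE                          ADDRESS
eth0         eth1
eth0         !192.0.2.0/24,198.51.100.0/24
eth0         10.10.0.0/16                    203.0.113.5
"""

def is_address(token):
    """True if token parses as an IP address or CIDR network."""
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False

def classify_source(source):
    """Classify a SOURCE value: 'any', 'variable', 'exclusion', 'addresses' or 'interface'."""
    if source == "-":
        return "any"          # "-" is the placeholder for an omitted column
    if source.startswith("$"):
        return "variable"     # shell variable from params; not expanded here
    tokens = [t for t in source.replace("!", ",").split(",") if t]
    if tokens and all(is_address(t) for t in tokens):
        return "exclusion" if source.startswith("!") else "addresses"
    # Heuristic (assumption): anything else is taken to be an interface name
    return "interface"

def find_interface_sources(text):
    """Return (line_number, source) for each entry whose SOURCE is an interface."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        fields = line.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) >= 2 and classify_source(fields[1]) == "interface":
            hits.append((number, fields[1]))
    return hits

if __name__ == "__main__":
    for number, source in find_interface_sources(SAMPLE_MASQ):
        print(f"masq line {number}: SOURCE '{source}' is an interface; "
              "list the subnets to exclude with '!net1,net2,...' instead")
```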